
Upload: trinhnhi

Post on 11-Jun-2018


TRANSCRIPT

Cybersecurity – A critical component for Emergency Management

Thursday, May 25, 2017 FOUO 1

David Morgan CISSP, NSA/CNSS Security, CCNP, CIW SA, MCSE/MCSA

Cybersecurity Officer | Information System Security Manager

Information Technology Division - Cyber Security

O: 512.424.2199 | C: 512.284.0885

Overview

• What is Cybersecurity?

• What Cybersecurity is not

• Various Malware Threats

• Security Awareness

• What do we mean by ‘digital weapon’?

FOUO 2

Cybersecurity

• What is Cybersecurity? – “Is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In the computing context, the term security implies cybersecurity.” (http://whatis.techtarget.com/definition/cybersecurity)

• What Cybersecurity is NOT – Cybersecurity is NOT IT.

FOUO 3

Malware Threats

• What is Malware? – Malicious Software

• Many different types – Virus – Worms – Trojans – Spyware – Ransomware – Adware – Rootkits

• Delivered through email, websites, pop-ups, P2P, cracked/pirated software, removable devices (CD/DVD, USB), etc.

• Computers, tablets, phones, TVs, etc. can get them. Mac is just as vulnerable as PC or Android

FOUO 4

Malware Threats

• Virus – Has to be manually triggered but then is activated and can do any number of malicious things

• Worms – Similar to a virus but doesn’t have to be activated and can self-replicate across a network

• Trojan – Program that appears to have a desired function but actually is waiting for a trigger (time bomb) to perform a malicious action

• Spyware – Program that collects information about the user without the user’s consent

• Ransomware

FOUO 5

Cryptolocker

FOUO 6

Hydracrypt

FOUO 7

Security Awareness

• Enter STUXNET…the first time in history that computer code has crossed over the threshold from cyber…to physical…to cause damage.

– Most likely the most complex malware ever discovered

– About 500KB

– Contained several (more than a ‘few’) zero day exploits

– Released around 2008, not discovered for about 2 years

– Infected non-network-connected systems

– Digital certificates had to be counterfeited

– It changed the way cyber attacks will occur…it’s out and cannot be recalled

FOUO 9

Security Awareness

• 11/8/2012…Siemens software targeted by Stuxnet still full of holes – Details from a cancelled Defcon presentation were revealed on Thursday in Seoul http://www.computerworld.com/article/2493358/security0/siemens-software-targeted-by-stuxnet-still-full-of-holes.html

FOUO 13

Security Awareness

- Presently there is no public acknowledgement of who created/deployed Stuxnet.

- It is highly complex and required many different skillsets to build, as well as the unusual aspect of containing several, not just one, zero-day exploit.

- It behaved like a rootkit.

FOUO 14

Security Awareness

In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back

http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html

FOUO 16


FOUO 17

“…a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.”

Security Awareness

L.A. Traffic Sign Is Hacked to Say "Read a F——ing Book" - 2015 http://www.laweekly.com/news/la-traffic-sign-is-hacked-to-say-read-a-f-ing-book-photos-5331670

Hacking traffic lights with a laptop is easy - 2014…Armed with a laptop, University of Michigan security researchers hacked nearly 100 wirelessly networked traffic lights and were able to change the state of the lights on command. http://www.networkworld.com/article/2466551/microsoft-subnet/hacking-traffic-lights-with-a-laptop-is-easy.html

It's Scarily Easy To Hack A Traffic Light - 2016 Remember that scene from the Italian Job remake where the Napster (Seth Green) hacks into LA’s traffic control center and changes all the traffic lights to suit their getaway plan? Turns out that it’s not too difficult to pull that off. http://jalopnik.com/its-scarily-easy-to-hack-a-traffic-light-1785313010

FOUO 18

Security Awareness

Medical Devices Are the Next Security Nightmare Hacked medical devices make for scary headlines. Dick Cheney ordered changes to his pacemaker to better protect it from hackers. Johnson & Johnson warned customers about a security bug in one of its insulin pumps last fall. And St. Jude has spent months dealing with the fallout of vulnerabilities in some of the company’s defibrillators, pacemakers, and other medical electronics. You’d think by now medical device companies would have learned something about security reform. Experts warn they haven’t. https://www.wired.com/2017/03/medical-devices-next-security-nightmare/

FOUO 19

Security Awareness

The Crazy Things A Savvy Shodan Searcher Can Find Exposed On The Internet

…Things" when it comes to medical devices. He's skittish about talking about what he's found exposed online, but it has included fetal heart monitors and the power switch for the neuro-surgery wing of a hospital.

https://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/#78f1d9de3c7e

FOUO 20

Security Awareness

Iranians Hacked From Wall Street to New York Dam, U.S. Says - 2016 https://www.bloomberg.com/news/articles/2016-03-24/u-s-charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt

FOUO 21

Security Awareness

Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say – April 2017

“Security officials have warned for years about the risks that hacking attacks can pose to infrastructure. The number of attacks on critical infrastructure appears to have risen: to nearly 300 in 2015 from just under 200 in 2012, according to federal data. In 2013, hackers tied to the Iranian military tried to gain control of a small dam in upstate New York.”

https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html?_r=0

FOUO 22

Security Awareness

U.S. Indicts 7 Iranians in Cyberattacks on Banks and a Dam – March 2016 “WASHINGTON — The Justice Department on Thursday unsealed an indictment against seven computer specialists who regularly worked for Iran’s Islamic Revolutionary Guards Corps, charging that they carried out cyberattacks on dozens of American banks and tried to take over the controls of a small dam in a suburb of New York.” https://www.nytimes.com/2016/03/25/world/middleeast/us-indicts-iranians-in-cyberattacks-on-banks-and-a-dam.html

FOUO 23

Security Awareness

Mebroot (aka…Trojan.Mebroot) “…is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.”

https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99

FOUO 24

Security Awareness

Once infected with Mebroot, systems were commonly infected with Torpig as well. These infections were commonly delivered via a ‘drive-by download’.

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,

Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Department of Computer Science, University of California, Santa Barbara

{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu

FOUO 28

Security Awareness

On the next page is a full-page example of a Torpig phishing page for Wells Fargo bank (shown below). With this type of man-in-the-middle (man-in-the-browser) phishing attack, the fraud is difficult even for an alert user to detect.

FOUO 29


FOUO 30

Security Awareness

There was a flaw that allowed a college class to issue its own certificate and actually take control of Torpig for a time. Introducing the self-signed CA.

Torpig also used a domain generation algorithm (DGA), which allowed the creation of multiple domains daily. A quick example of this was used by Conficker, which would generate 50,000 domains a day.

The use of a DGA, while advantageous to the botnet herder, opens a window of opportunity for another entity to take control of the botnet by registering the domain ahead of time and returning a valid command-and-control server response…provided the botnet protocol has been reverse engineered to determine what that response must be.
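To make the precomputation point concrete, here is an added example (not from the slides, and not Torpig's or Conficker's real algorithm) of a simplified date-seeded DGA together with the defender's side of it: once the algorithm is known, every domain the bots will try over a window can be enumerated in advance and used to sinkhole, blocklist, or flag DNS queries. The seed string, TLD list, and sample query names are constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed, simplified DGA for illustration only; the seed and the TLD
# list are assumptions, not values from any real botnet.
SEED = "example-botnet"
TLDS = ("com", "net", "biz")


def generate_domains(day, count, seed=SEED):
    """Return `count` deterministic domains for `day`.

    Every bot derives the same list from the date, so anyone who has
    reverse engineered the algorithm can derive it too.
    """
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute_blocklist(start, days, per_day):
    """Defender's view: enumerate every domain the bots will try during a
    window so they can be registered/sinkholed or blocklisted ahead of the
    botnet herder."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset), per_day))
    return block


def flag_dns_queries(queries, blocklist):
    """Match observed DNS query names (case-insensitive, trailing dot
    tolerated) against the precomputed set; return the hits in order."""
    return [q for q in queries if q.lower().rstrip(".") in blocklist]


if __name__ == "__main__":
    window = precompute_blocklist(date(2017, 5, 25), days=7, per_day=50)
    # Constructed sample of query names as they might appear in resolver logs.
    sample = ["www.example.org", generate_domains(date(2017, 5, 26), 3)[1] + "."]
    print(len(window), flag_dns_queries(sample, window))
```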

FOUO 31

Torpig IPs per Hour


1/29/2016 FOUO 32

Torpig Bots per Hour


1/29/2016 FOUO 33

Torpig Bot IDs and IPs per Hour


1/29/2016 FOUO 34

Closing Thoughts

Patching

Updates

Call in experts early on

Maintain vigilance

1/29/2016 FOUO 35

Questions?

FOUO 36